Re: Mixing authentication type flags & By design Bug from MS ?

From: SLY (I_dont_need_your_Sp_at_mdot.com)
Date: 10/22/04


Date: Fri, 22 Oct 2004 08:13:44 -0400

Hey Joe !! ;)

The job gets done with either one ...
Our problem is that when I try to use AuthenticationTypes.Secure
with any other flags, the SetPassword or ChangePassword is done
by DOMAIN\Administrator instead of the user we specify as
parameters ... (usr in this case)

DirectoryEntry root = new DirectoryEntry("LDAP://" + adsPath, usr, pwd,
AuthTypes);

In fact, Domain\Administrator is the logged-in user. If I log in as a user
NOT in Domain Administrators, neither SetPassword
nor ChangePassword works.

I wanted to use Signing and Sealing because of sensitive data.
Secure only won't encrypt data, just authentication ... Right?

Cheers,

Sly

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:ugSgyg7tEHA.1292@TK2MSFTNGP10.phx.gbl...
>I think I follow what you are saying. Is the issue with SetPassword and
>ChangePassword not working or are your secure binds to AD failing?
>
> The thing to know about SetPassword is that it tries to use an SSL/LDAP
> call under the hood as its first approach, then falls back to a Kerberos call,
> then falls back to NetUserSetInfo. ChangePassword does the same except that it
> doesn't use Kerberos and skips right to NetUserChangePassword.
>
> Generally, people have the best luck using SSL for managing passwords in
> my experience, especially in .NET apps and ASP.NET in particular.
>
> There is a trick you can do to set the password directly using a secure,
> encrypted (Windows, not SSL) bind and updating unicodePwd directly, but I
> haven't figured out how to get this to work with ChangePassword as ADSI
> doesn't seem to be able to create the correct LDAP mod structure.
>
> BTW, if you want to know for sure you got a Kerberos bind to AD and not
> NTLM, add the Delegation flag to your AuthenticationTypes.
>
> HTH,
>
> Joe K.
>
> "SLY" <I_dont_need_your_Sp@mdot.com> wrote in message
> news:eFcP9o6tEHA.3984@TK2MSFTNGP09.phx.gbl...
>> Good day Ladies, Gentlemen,
>>
>> Help needed or confirmation that it's a designed "feature" !
>>
>> We have a strange situation here.
>>
>> We once were using AuthenticationTypes.SecureSocketsLayer as in :
>> __________________________
>> public static DirectoryEntry SecureConnectDC(string adsPath, string usr,
>> string pwd)
>> {
>>     // Bind over SSL (LDAPS) with the supplied credentials
>>     DirectoryEntry root = new DirectoryEntry(Ldap.getDC() + adsPath, usr,
>>         pwd, AuthenticationTypes.SecureSocketsLayer);
>>     return (root);
>> }
>> -----------------------------------
>>
>> But we would like to move up (!) to Kerberos Authentication ->
>> AuthenticationTypes.Secure.
>>
>> As described in the MSDN Library :
>>
>> "The Secure flag can be used in combination with other flags such as
>> ReadonlyServer, FastBind, and so on."
>>
>> So I tried using this code :
>> __________________________
>> public static DirectoryEntry SecureConnectDC(string adsPath, string usr,
>> string pwd)
>> {
>>     // Kerberos bind with LDAP signing and sealing
>>     DirectoryEntry root = new DirectoryEntry(Ldap.getDC() + adsPath, usr,
>>         pwd, AuthenticationTypes.Signing | AuthenticationTypes.Secure |
>>         AuthenticationTypes.Sealing);
>>     return (root);
>> }
>> -----------------------------------
>>
>> Which is not working for us.
>>
>> With AuthenticationTypes.Secure | AuthenticationTypes.Sealing | etc :
>>
>> Account Management Event ID 627 with User = ADMINISTRATOR
>>
>> With only AuthenticationTypes.Secure :
>>
>> Account Management Event ID 627 with the correct user - the one that we
>> passed to our SecureConnectDC method
>> ____________________________
>> (More details: we synchronise our Oracle users with AD and have to
>> create accounts or change passwords securely.)
>>
>> Simply put, with the Secure flag only it works, but in combination with any
>> other flag the SetPassword or ChangePassword method gets
>> Domain/Administrator credentials!
>>
>> Thank you for your time! Your precious time! So precious time.
>>
>> Sly
>> "I'm just an humble guy who's trying to save the world as we know it!"
>>
>
>
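The "trick" Joe describes, a signed and sealed Kerberos bind that writes unicodePwd directly instead of going through SetPassword's fallback chain, written out as an added example; this is not code from the thread. It assumes the bound account has "Reset password" rights on the target user and that the DC accepts signed/sealed binds; adsPath, usr and pwd are placeholders in the spirit of the SecureConnectDC helper above.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example, not from the thread. Assumes the bound account has
// "Reset password" rights on the target user object and the DC accepts
// signed and sealed LDAP binds.
public static class AdPassword
{
    // Kerberos bind with LDAP signing and sealing: the LDAP traffic,
    // including the password attribute, is integrity-protected and
    // encrypted on the wire without an SSL certificate on the DC.
    // Joe's tip above: adding AuthenticationTypes.Delegation lets you
    // confirm the bind really is Kerberos rather than NTLM.
    public static DirectoryEntry SecureConnect(string adsPath, string usr, string pwd)
    {
        AuthenticationTypes flags = AuthenticationTypes.Secure
                                  | AuthenticationTypes.Signing
                                  | AuthenticationTypes.Sealing;
        return new DirectoryEntry("LDAP://" + adsPath, usr, pwd, flags);
    }

    // AD expects unicodePwd as the new password wrapped in double quotes
    // and encoded as UTF-16LE (Encoding.Unicode).
    public static byte[] EncodeUnicodePwd(string newPassword)
    {
        return Encoding.Unicode.GetBytes("\"" + newPassword + "\"");
    }

    // Writing unicodePwd directly over the sealed bind avoids the
    // SetPassword chain (SSL -> Kerberos -> NetUserSetInfo), so the write
    // is made as the bound "usr", not as the process's logged-on account.
    // Event ID 627/628 on the DC should then show that user as the subject.
    public static void ResetPassword(DirectoryEntry user, string newPassword)
    {
        user.Properties["unicodePwd"].Value = EncodeUnicodePwd(newPassword);
        user.CommitChanges();
    }
}
```

This only covers the administrative reset (SetPassword); a self-service ChangePassword needs a delete-old/add-new modification of unicodePwd in one operation, which Joe notes ADSI does not build correctly.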


